Executive Summary

Title: INFORMATION WARFARE: ISSUES ASSOCIATED WITH THE DEFENSE OF DOD COMPUTERS AND COMPUTER NETWORKS

Author: Lieutenant Commander Derek E. Franklin, United States Navy

Thesis: The threat to the Defense Information Infrastructure (DII) is growing. Hackers have advanced in sophistication, and the potential exists for an alliance of independent hackers and terrorist/criminal groups that may threaten the critical information pathways of the armed forces. An analysis of the history of computer information warfare reveals that there was an embarrassing lack of readiness and defensive capability available to the armed forces of the United States prior to 1999. With the establishment of the Joint Task Force-Computer Network Defense (JTF-CND), later renamed Joint Task Force-Computer Network Operations (JTF-CNO), a minimum capacity to respond has been developed. However, as the issue has grown in importance, policy makers and planners have come to realize the limitations of Computer Network Attack (CNA) and Computer Network Defense (CND) as warfare areas. The growth of related legal and law enforcement issues, and the effect of possible enemy CNA strikes, will require the coordination of civilian, armed forces, and law enforcement officials. CNA/CND can therefore never be a purely military issue.

Discussion: Although the Internet is more than three decades old, it is only in the last five to seven years that senior government officials have given serious thought to the vulnerability of DOD computer networks and computer systems. Meanwhile, potential adversaries have rapidly embraced information technology and computer network attack as force multipliers that can weaken or exploit critical vulnerabilities in a larger adversary's information infrastructure. In response to Joint Vision 2010 and its emphasis on information dominance, as well as several highly publicized network intrusions, the JTF-CND (later JTF-CNO) was established in 1998.

When a sophisticated hacking campaign directed at sensitive U.S. computers was detected in 1999, serious questions arose concerning the integrity of DOD unclassified and classified computer networks, and the dependability of the commercial communications infrastructure on which DOD depends. DOD began to commit substantial resources to the protection effort. Despite efforts to share information and develop common operating procedures, confusion remains regarding authority and responsibility. The GAO concluded in late 2001 that, despite the resources devoted to the network defense mission, the Federal government as a whole is only marginally better at defending its computers and computer networks than it was five years earlier.

Conclusion: Although the nation as a whole, and the armed forces specifically, are better prepared than in 1998 to detect and blunt the effects of a computer attack, the potential damage an attack could cause may still be catastrophic, although still less than that of a kinetic attack. In order to use the full capability of CNA/CND, many legal issues must be resolved, both domestically and internationally. U.S. constitutional and privacy issues must be resolved, and international agreements must be established delineating appropriate use of computer attack and defense resources. As potential adversaries gain more experience and have more sophisticated tools at their disposal (at an ever-cheaper price), DOD will be hard-pressed to counter the threat.
Preface

In 1998, after returning from an overseas assignment, I was assigned to the Defense Information Systems Agency (DISA) in Arlington, VA. After a few months as a program/budget analyst, I was then attached to a fledgling new organization, the Joint Task Force-Computer Network Defense (JTF-CND), to fill the J1/4/8 (Personnel/Logistics/Resources) chief billet. In this capacity, I had the pleasure of working directly for the commander, Major General (as of this writing Lieutenant General) John H. Campbell, United States Air Force, who also wore another hat as the Vice-Director of DISA.

My experience with the task force was transformative. As a senior US Navy lieutenant, I was responsible for a multimillion-dollar budget and working with senior officers in a fast-paced joint environment that seemed more like being part of a frontier town than anything else. For the first time, I was exposed to a high technology, computer intensive environment that was judged by some to be a new and transformational type of warfare. Each day was, by turns, exhilarating and humbling. Not only was I the entire staff of the J1/4/8 (J6-C4I/Information Technology responsibilities were later added to my portfolio), but I continued to be amazed as I learned more about the massive information technology infrastructure that allowed the US armed forces to efficiently conduct global operations.

Today, the JTF-CNO has matured. The missions of computer network attack and computer network defense now have a higher profile that is reflected by the assignment of these missions in the Unified Command Plan of 1999 to the Commander-in-Chief, Space Command, headquartered in Colorado Springs, Colorado. From an initial cadre of 18 armed forces and civilian staff members in 1998, the current organization is projected to grow to nearly 150 staff members. The current (April 2002) JTF-CNO commander is Major General James D. Bryan, United States Army. The constant continues to be the highly professional and proficient civil service civilians, military personnel, and private contractors who labor in anonymity to defend Department of Defense computers and computer networks. I have been proud to be associated with them.

No preface would be complete without my acknowledgement of the debt I owe to numerous individuals in the preparation of this work. They include several members of the JTF-CNO (too numerous to name) who generously gave of their time and expertise to review this work. I am also especially appreciative of my faculty mentors at the U.S. Marine Corps Command and Staff College, Dr. Donald F. Bittner, Ph.D. and Lieutenant Colonel Charles L. Hudson, USMC. I am grateful to all for their patience, encouragement, expertise, goodwill, and occasional forceful prodding. The success of this work is due to all of these professionals; any mistakes that remain are mine and mine alone.

Finally, I wish to thank my family, my wife Cecilia, my daughters Leslie and Marguerite, and my son, Miles, for their patience and understanding. With their support I have been able to overcome and achieve; without them, success and accomplishment are meaningless.

DEREK E. FRANKLIN
Lieutenant Commander, USN
Quantico, VA
April 2002
The New Battlefield

In 1999, two pieces of information appeared in the U.S. press and attracted little attention. The first was a report on a heretofore-secret government investigation to determine the source or sources of intrusions into sensitive US government computers. The operation was named "Moonlight Maze." The attacks were believed to have originated from Russian government offices, and speculation was rampant as to how long the intrusions had been occurring, whether the computer probes were government sponsored, and whether sensitive or classified material may have been accessed by the hackers.[1]

In February of the same year, two Chinese Air Force colonels, Qiao Liang and Wang Xiangsui, published Unrestricted Warfare. That it appeared at all in Beijing is indicative of government approval. It is believed to be intended as a primer for young officers on the various types of warfare in which China will be involved in the new century. Although translations of the work were slow in being disseminated, armed forces intelligence officials in the United States are alarmed by the work's matter-of-fact emphasis on using the Internet and computer networks as a force multiplier to cripple an enemy's infrastructure. Among the authors' comments:

    If the attacking side secretly musters large amounts of capital without the enemy nation being aware of this at all and launches a sneak attack against its financial markets, then after causing a financial crisis, buries a computer virus and hacker detachment in the opponent's computer system in advance, while at the same time carrying out a network attack against the enemy so that the civilian electricity network, traffic dispatching network, financial transaction network, telephone communications network, and mass media network are completely paralyzed, this will cause the enemy nation to fall into social panic, street riots, and a political crisis.[2]

A report delivered to Congress in November 2001 was particularly disturbing in its candid assessment of the federal government's computer vulnerabilities. The General Accounting Office (GAO) report, delivered nearly two months after the September 11, 2001 terrorist attacks in the United States, concluded:

    Our analyses of information security at major federal agencies have shown that federal systems were not being adequately protected from computer-based threats, even though these systems process, store, and transmit enormous amounts of sensitive data and are indispensable to many federal agency operations.[3]

The obvious conclusion to be drawn from these reports is that the federal government, and the Department of Defense in particular, remain vulnerable to outside attack and exploitation of computers and computer networks at the dawn of the 21st century. Indeed, despite early identification of the critical vulnerabilities and the best efforts of hundreds, perhaps thousands, of armed forces personnel, government civilians, and defense contractors, DOD would appear to be only marginally better protected than when it began to examine the issue of protecting its critical infrastructure in 1997.

At the dawn of the 21st century, the United States finds itself under attack on several fronts from enemies that are diverse in their membership, geographically dispersed, and technologically sophisticated. Moreover, these adversaries are motivated by several factors, including greed, political and religious ideology, and emotional fanaticism. These foes vary in their complexity. The threat may be as innocuous as a teenager hacking into a government computer system to impress fellow hackers, or as serious as a friendly state sponsoring teams of sophisticated hackers to conduct "data-mining" operations to gain military information for possible use against the US in the future. Furthermore, the last few years have also seen the emergence of cyberspace guns for hire: individuals and teams who hire out their services to the highest bidder and whose targets are unclear.[4]

The US government's responses to computer threats to its critical infrastructure will vary widely, depending on the source and nationality of the attackers, whether US laws have been broken, and the actual damage sustained. It is a tedious business, complicated by multilayered bureaucracies, domestic and international legal ramifications, and the necessity to achieve a high degree of confidence that the act is correctly attributed to an identifiable person or organization.

While the JTF-CNO is not the only organization working these issues, it is the lead organization within DOD for computer network defense and computer network attack. As such, it is the trigger-puller for this new branch of warfare. It is the pathfinder organization for DOD computer network security, yet few have heard of it and fewer still understand its mission.


[1] Anthony Kimery, "Moonlight Maze," Infowar, 3 December 1999, URL: http://www.infowar.com/class 2/99/class2 120399b J.shtml. Accessed 14 January 2002. Hereafter cited as Kimery, Moonlight Maze.

[2] Qiao Liang and Wang Xiangsui, Unrestricted Warfare (Beijing, China: PLA Literature and Arts Publishing House, 1999), 145-146. A complete text of this work is available at URL: <http://www.terrorism.com/documents/unrestricted.pdf>.

[3] General Accounting Office, Computer Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets (Washington DC: GPO, 2001), 6.

[4] J.R. Wilson, "Cyberwarfare 101," URL: <www.mit-kmi.com/Archives/5 1 MIT/5 1Art4.cfm>. Accessed 31 December 2001. Hereafter cited as Wilson, Cyberwarfare online article. In this article, Wilson describes the variety of hackers that proliferate in the hacking community. They cut across every demographic in terms of age, education, and motivation. However, the vast majority of "problem" hackers that concern DOD are young and easily manipulated. Furthermore, with the profusion of more sophisticated tools available to more people, the sophistication level of hackers is dropping. Few hackers now know how to write computer code, for example.


Historical Perspective

In July 1996, the Chairman of the Joint Chiefs of Staff, Army General John M. Shalikashvili, published Joint Vision 2010 (hereafter referred to as JV 2010). In it, and in its follow-on publication Joint Vision 2020, the concept of full spectrum dominance across the complete range of armed forces operations was promulgated.[5] JV 2010 identified information technology superiority as a prerequisite for full spectrum dominance. JV 2010 also assumed that gaining and maintaining this advantage would require defensive as well as offensive capability.[6] However, in 1996 the bold words in JV 2010 did not match the reality of how CINCs, services, and agencies operated. Even as JV 2010 was distributed, senior armed forces theorists and policy makers recognized that it had only shone a small light on an enormous problem. There was still much to learn about the scope of the task at hand, and the next two years provided impetus to the work that lay ahead.

Long before the spate of Internet e-mail viruses of the last few years, viruses had already appeared, as early as 1985, and demonstrated how a relatively small amount of unsophisticated computer code could cripple an individual computer or a computer network. From six viruses identified in 1987, by mid-2001 the figure had grown to thousands of viruses and many more thousands of variants. In recognition of the potential impact that interruption of the nation's information infrastructure could have on business and government operations, in July 1996 the Clinton administration issued Executive Order 13010.[7] This order established the President's Commission on Critical Infrastructure Protection (PCCIP). Although the commission's focus was a national information infrastructure vulnerability assessment, it was also tasked with establishing a national attack warning capability. This was the recommendation that brought DOD into this arena.

To fulfill the charge of establishing a national attack warning capability, an assessment of existing vulnerabilities was necessary. In June 1997, in the wake of JV 2010 and the establishment of the PCCIP, computer experts from the highly secretive National Security Agency (NSA) were assigned the task of breaking into DOD computers and computer networks, as well as other vulnerable targets in other Federal agencies. Using easily obtainable software and hardware, the "red cell" would have been able to wreak havoc on computers and networks throughout the Federal government.[8] The exercise, dubbed ELIGIBLE RECEIVER, shattered existing illusions about the security of the United States information technology infrastructure. Over 60% of the U.S. government systems probed during the exercise were discovered to have security holes that could be easily


[5] Joint Staff, Joint Vision 2010 (Washington DC: GPO, 1996), 2.

[6] Joint Staff, Joint Vision 2010, 20.

[7] U.S. President, Executive Order 13010, "Critical Infrastructure Protection," 15 July 1996. A copy may be found at the National Archives and Records Administration site, URL: http://www.nara.gov/fedreg/eo1996.html. Accessed 12 April 2002.

[8] A red cell is a group organized to test the effectiveness and security of an organization's defenses. In the case of the NSA red cell, the team was prohibited from causing real damage and was refereed in its efforts. For additional information on the ELIGIBLE RECEIVER red cell see: Bill Gertz, "Eligible Receiver," Washington Times, 16 April 1998.
[Figure 1 (image not reproduced): "Malicious Activity Continues to Climb," a chart of Unauthorized DoD Intrusions. Sidebar quotation: "Information Networks must be controlled, protected, & managed as effectively as weapon systems," Lt Gen Harry D. Raduege, DISA Director.]

exploited.[9] Indeed, Figure 1 demonstrates that actual reported intrusion figures during this time were also rising despite the increased monitoring of DOD networks.

Figure 1. Malicious Activity Continues to Climb. Source: JTF-CNO, JTF-CNO Operations Brief, May 2001.[10]

Another equally disturbing discovery appeared: no one individual or agency had authority or responsibility for coordinating computer network defense response within the Federal government, including DOD.[11] Despite the fact that most governmental agencies had individuals in charge of information technology, training was haphazard and not standardized. Even more indicative of the problem, many system administrators (even of classified networks) did not possess the appropriate security clearance to work on the systems for which they were responsible, and there were few or no information sharing mechanisms established to promote prevention or to mitigate damage.

The press and public were slow to appreciate the importance of ELIGIBLE RECEIVER. As late as April 1998, the Assistant Secretary of Defense for Public Affairs, Kenneth H. Bacon, minimized the importance of the exercise. He benignly declared, "...ELIGIBLE RECEIVER...succeeded beyond its planner's wildest dreams in elevating...awareness of threats to our computer systems..."[12]

While the assistant secretary's comments were a slick information operation in themselves, in actuality ELIGIBLE RECEIVER was an embarrassment for federal government security professionals. Even as Assistant Secretary Bacon spoke, another setback was unfolding. Since February 1998, intrusions into Pentagon and Massachusetts Institute of Technology networks had been detected. More ominously, these intrusions appeared to originate from outside the United States. Contrary to the modus operandi of most amateur hackers, the purpose was not simply to deface a web site and leave telltale Internet "graffiti." Rather, the objective was to probe these sites and to


[9] Drawn from text of the Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) online forum incorporated in "Eligible Receiver Exercise Shows Vulnerability," Infowar.com, 22 December 1997, URL: <http://www.infowar.com/civil de/civil 022698b.html-ssi>. Accessed 15 January 2002.

[10] This brief has not been previously published. It is available from the Operations directorate (J3) of the Joint Task Force-Computer Network Operations (JTF-CNO), co-located in the Defense Information Systems Agency (DISA) headquarters building in Arlington, VA.

[11] "Eligible Receiver Exercise Shows Vulnerability," Infowar.com, 22 December 1997 (see note 9).

[12] Kenneth H. Bacon, "DOD News Briefing with Assistant Secretary of Defense (Public Affairs)," press conference available at URL: <http://www.defenselink.mil/news/Apr1998/t0416 1996 t0416asd.html>, 16 April 1998. Accessed 14 January 2002.
download information.[13] The hackers collected numerous passwords and planted "backdoors" to use to return to the networks undetected.[14]

The subsequent investigation brought together resources from five federal agencies and approximately 30 agents from the Federal Bureau of Investigation.[15] The perpetrators were identified as two Northern California teenagers and their Israel-based mentor, an eighteen-year-old hacker named Ehud Tenenbaum (who preferred his online moniker, Analyzer). Before he was caught, Tenenbaum bragged about breaking into over 1,000 Internet servers and establishing 120,000 computer user accounts on them.[16] Establishing these accounts gave the hackers numerous avenues to access the servers through what the computer systems would treat as valid accounts.[17] The Justice Department, in cooperation with the Israeli government, arrested all three suspects. Still, this incident revealed United States vulnerability to even unsophisticated hacking. Three young hackers, all self-taught, were able to easily access sensitive information. Although MIT and DOD would both claim that the information was not classified, skepticism remains.


[13] Virginia Key, "What is Solar Sunrise," URL: <www.sans.org/newlook/resources/IDFAQ/solar sunrise.htm>. Date unknown. Accessed 13 January 2002. Hereafter cited as Key, Solar Sunrise.

[14] In computer parlance, a backdoor is a hidden means of access, left in a program or on a system, that lets whoever knows of it reenter while bypassing normal security measures such as password authentication and access restrictions. While backdoors have had legitimate uses for people such as system administrators, the term has become synonymous with hackers who plant them in order to return to compromised networks undetected.

[15] The five agencies were the Department of Justice and its subordinate agency the Federal Bureau of Investigation, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration, and the Naval Criminal Investigative Service. For more information see: Department of Justice press release, "Israeli Citizen Arrested in Israel for Hacking United States and Israeli Government Computers," found at URL: <http://www.usdoj.gov/criminal/cybercrime/ehudpr.htm>, 18 March 1999. Accessed 10 January 2002.

[16] Key, Solar Sunrise.

[17] Key, Solar Sunrise. Tenenbaum's boast must be viewed skeptically. An FBI profile of young hackers and their culture indicated that such boastfulness is a common characteristic.
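The persistence technique described above (attacker-created accounts that the system treats as valid, plus planted backdoors) is exactly what a baseline comparison of a host's account database is meant to catch. The following Python script is an added example for this page; it is not code from the thesis or from any DOD tool. The two passwd-style listings it compares are constructed sample data, and the account names in them (toor, tmpuser) are illustrative only.

```python
"""Baseline comparison of a Unix account database to surface accounts
an intruder created or altered. Added example; sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: the account list recorded when the host was built.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadm:x:1000:1000:System Admin:/home/sysadm:/bin/sh
www:x:33:33:web server:/var/www:/usr/sbin/nologin
"""

# Constructed current listing: two accounts were added and a service
# account was given a login shell. Names (toor, tmpuser) are illustrative.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadm:x:1000:1000:System Admin:/home/sysadm:/bin/sh
www:x:33:33:web server:/var/www:/bin/sh
toor:x:0:0:root:/root:/bin/sh
tmpuser:x:1001:1001::/tmp:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, Account]:
    """Parse passwd(5)-format lines into a name -> Account map.
    Blank lines and comments are skipped; the password and GECOS fields
    are ignored because they carry nothing the comparison needs."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def audit_accounts(baseline_text: str, current_text: str) -> List[str]:
    """Return one finding per anomaly, sorted for stable output:
    accounts absent from the baseline, accounts whose UID/GID/home/shell
    changed, accounts removed, and any UID 0 account other than root."""
    baseline = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    findings: List[str] = []
    for name, acct in current.items():
        if name not in baseline:
            # Valid to the system, unknown to the baseline: the Solar
            # Sunrise pattern of mass account creation.
            kind = "non-interactive" if acct.shell in NOLOGIN_SHELLS else "interactive"
            findings.append(f"new {kind} account {name} (uid {acct.uid}, shell {acct.shell})")
        elif acct != baseline[name]:
            findings.append(f"changed account {name}: {baseline[name]} -> {acct}")
        if acct.uid == 0 and name != "root":
            # A second UID 0 account is a classic planted backdoor.
            findings.append(f"uid 0 duplicate: {name}")
    for name in baseline.keys() - current.keys():
        findings.append(f"baseline account removed: {name}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(finding)
```

In practice the baseline is taken at build time and stored off the host, so that an intruder with root cannot rewrite it along with the account file, and the same comparison is worth running over authorized_keys files, cron entries and setuid binaries, which are the other common places a "backdoor" of the kind described in note 14 is left.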

In May 1998, influenced in part by the events of the previous two years (including recommendations of the PCCIP[18] and lessons learned from ELIGIBLE RECEIVER), President Clinton issued Presidential Decision Directive (PDD) 63.[19] Although the directive contained many important initiatives, four were most significant:

1. Establishment of a national center to warn of and respond to attacks.

2. Requirement for the entire federal government to reduce exposure to new threats.

3. Establishment of an office of a national coordinator for infrastructure protection.

4. Establishment of the National Infrastructure Protection Center (NIPC) at the FBI to fuse governmental resources and to coordinate responses to attacks across the Federal government.[20]

Spurred by the PCCIP report, the Secretary of Defense (SECDEF) agreed that the time had come to create a single organization responsible for "...coordinating and


[18] President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, October 1997, 93-99.

[19] Presidential Decision Directive NSC-63, Critical Infrastructure Protection, 22 May 1998. Full text available at the Federation of American Scientists website, URL: http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. Accessed 12 April 2002.

[20] It is worth noting that the NIPC was organized and modeled after the Centers for Disease Control and Prevention. This is logical, given the medical analogies used in connection with computer networks, such as the concepts of viruses, infection, and containment. See: Michael Tompkins, "Computer Network Defense at the National Level," URL: <http://rr.sans.org/country/defense.php>, 5 December 2000. Accessed 14 January 2002.
directing the defense of DOD computer systems and computer networks..."[21] However, before DOD could fully man the new Joint Task Force-Computer Network Defense organization, it had to contend with an operation known as Moonlight Maze.

Moonlight Maze was the title given to the investigation of Russian intrusions into U.S. government computers and networks. These intrusions were first detected in January 1999 and continued until June of that year. Although no individual was charged with any crime and the intrusions are believed to have stopped, the investigation is still ongoing (under a different codename). The two major unanswered questions from the investigation remain: was the hacking state sponsored, and was the DOD classified information network compromised?[22]

However, equally important to Clinton administration officials was that Moonlight Maze represented a quantum leap in sophistication from previous attacks. Furthermore, the possibility that a sovereign nation was engaged in this activity revealed numerous flaws in the government's approach towards computer network defense.

Ultimately, Moonlight Maze raised more questions than it answered. Still undetermined was how the United States apportions, with a high degree of certainty, responsibility for an intrusion. If the responsible party is a nation, what recourse is available? As of 1999, few countries had laws criminalizing hacking. In fact, laws around the globe had not caught up with technological advances. Many nations did not make hacking a crime; for example, hacking in Russia was not a crime when the Moonlight Maze intrusion was discovered. In the absence of legal restrictions, all the US could do upon discovery of the Moonlight Maze intruder(s) was to send a diplomatic letter of protest.[23]

Moonlight Maze revealed just how impotent DOD could be against a determined adversary. Nevertheless, even as technicians and analysts were compiling their after action reports, changes were underway that would reshape the DOD response to future threats. The answer lay in building a new organization with the punch to protect, and perhaps one day to take offensive action to protect, the DOD information infrastructure.


[21] Secretary of Defense (William S. Cohen), letter to CINCs, services and agencies, subject: "Joint Task Force-Computer Network Defense Charter," 4 December 1998. Cited hereafter as Cohen Charter.

[22] The U.S. armed forces rely on two primary computer networks to conduct day-to-day business. The first is the Non-classified Internet Protocol Router Network, or NIPRNET. The second is the Secret Internet Protocol Router Network, or SIPRNET. NIPRNET is DOD's worldwide unclassified network. While the network is a separate entity, connectivity is achieved by "riding" on the public Internet infrastructure. This means that its traffic is susceptible to outside manipulation and attack, and the network has little inherent security. In the early days of computer networking, it was even possible to reach the SIPRNET through numerous special access gateways from NIPRNET. These gateways have since been identified and shut down, and the SIPRNET is now a completely separate and encrypted network. While no U.S. government official has gone on record admitting a SIPRNET compromise, some observers believe otherwise. Kimery, Moonlight Maze.

[23] Kimery, Moonlight Maze.
Mission/Organization


In December 1998, the Joint Task Force-Computer Network Defense (JTF-CND) was established. A cadre of 18 full-time civilian and armed forces staff members was assigned to it, and the unit was tasked to achieve final operating capability by 30 June 1999. From the beginning, the organization was intended to be a stopgap measure until the Unified Command Plan process could address CINC responsibility for the mission.

The initial focus of the organization was DOD computer network defense, with the joint task force reporting to the SECDEF. After approval of the Unified Command Plan (UCP) in 1999, JTF-CND reported to CINC, Space Command (CINCSPACE), a four-star Air Force officer headquartered in Colorado Springs, Colorado. Over time, the CND relationships (depicted in Figure 2) became formalized and continue to exist today. In April 2001, JTF-CND was renamed the Joint Task Force-Computer Network Operations, or JTF-CNO.

From this basic beginning, the mission of the task force has evolved. While the initial focus of effort was computer network defense, over time advances in technology made computer network attack (CNA) a viable mission. However, CNA remains a sensitive mission, and its employment requires SECDEF or higher approval for legal reasons (see pages 25-36, legal section, of this paper). Nevertheless, the CNO mission can be explained in the following context:

Cohen Charter, 6-10.

The Unified Command Plan allocates responsibilities among the nine combatant commands. It establishes these commands' missions, responsibilities, and force structure. The plan also defines the geographical commands' areas of responsibility. Taken from URL: <http://www.defenselink.mil/specials/unified>. Accessed 14 January 2002.


Computer Network Operations (CNO) Responsibilities

Computer Network Attack (CNA)

• Coordinator for CNA requirements, development and employment across CINCs, services, and agencies

• Provide CNA support to Unified commanders via USSPACECOM as supporting CINC

• Conduct CNA Ops (trigger pullers)

• Intelligence/Counterintelligence

Computer Network Defense (CND)

• Defend DOD networks from intrusion

• Coordinate DOD response to intrusions and attack across DOD

• Law Enforcement Coordination

• Intelligence/Counterintelligence

• Technical Analysis

Table 1. CNO Responsibilities (Source: JTF-CND Charter and JTF-CNO Concept of Operations)

The JTF-CNO has five components drawn from each branch of the armed forces and from DISA. These include:

• ACERT (Army Computer Emergency Response Team), a part of LIWA (Land Information Warfare Activity), located at Fort Belvoir, VA

• AFCERT (Air Force Computer Emergency Response Team): 67th IW at Lackland AFB, Texas

• NAVCERT (Navy Computer Emergency Response Team): Navy Component Task Force for Computer Network Defense (NCTF-CND), located in Washington, D.C.

• MAR-CND (Marine Corps Forces-Computer Network Defense): MIDAS (Marine Intrusion Detection Analysis System) at Quantico, VA

• DOD-CERT: Support provided through the Global Network Operations and Security Center (GNOSC) located in Arlington, VA

The JTF-CND became the JTF-CNO on 2 April 2001. USCINCSPACE letter to Commander, Joint Task Force-Computer Network Operations and others, subject: "Redesignation of Joint Task Force-Computer Network Defense," 23 March 2001. Copies held at USCINCSPACE and JTF-CNO.

Cohen Charter, 2-7; also USSPACECOM document, subject: "JTF-CNO Concept of Operations," 12 April 2001.

All components report to JTF-CND/CNO for tactical matters (i.e., the JTF-CNO commander has tactical control, or TACON, of these subordinate units). However, these components also play a dual role as the CERTs (Computer Emergency Response Teams) for their services, and they report to the respective service or agency for all other operational and administrative matters. None of the components employs CNA capabilities. The CNA "toolkit" resides in the JTF-CNO Operations directorate (J3) and is offered to the supported CINC by USSPACECOM. Decisions to employ CNA capability rest with the Secretary of Defense and the President.
Figure 2. CNO Relationships. Source: JTF-CNO Command Brief, Nov 2001. (Figure not reproduced; labels recoverable from the image: CNO Relationships; National Infrastructure Protection Center (NIPC); Info Sharing & Advisory Notices; Private Sector; Information Sharing and ...)

As the single DOD point of contact for CND and CNA, JTF-CNO is the armed forces' equivalent of the FBI's NIPC. It is important to reiterate that JTF-CNO has no responsibility for protecting any computers or computer networks outside DOD. However, given the overlaps between commercial, federal government, and DOD infrastructures, it should be no surprise that the task force is involved in information sharing at all levels and across all bureaucratic boundaries and maintains an active liaison function. Coordination also exists between the JTF-CNO, the intelligence community, and DOD law enforcement agencies for tactical and operational matters. Currently based in Arlington, VA, the JTF-CNO is a vibrant and growing organization that is expected to grow to 144 staff members by the end of fiscal year 2002 (30 September 2002).

Original brief previously unpublished. Briefing is currently held in the Operations Directorate (J-3) of the Joint Task Force-Computer Network Operations, which is co-located at the Defense Information Systems Agency headquarters in Arlington, VA.

As currently organized, the JTF-CNO looks like most joint US armed forces organizations. The commander is a two-star military officer who is dual-hatted as the Vice Director of the Defense Information Systems Agency. In his JTF role, he has tactical control of the organizations depicted in Figure 2. The deputy commander (DCJTF-CNO), currently a one-star Navy officer, as depicted in Figure 3, assists the JTF-CNO commander in his duties. Senior advisors include a chief of staff, director of technology, staff judge advocate, and public affairs officer. The organization also has twelve permanent liaison officers assigned from the Defense Intelligence Agency (DIA), National Security Agency (NSA), Air Force Office of Special Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), and the Army Criminal Investigative Division (CID). The organizational structure also provides for eventual assignment of Allied liaison officers. Although these Allied billets are currently unfilled, it is expected that traditionally close allies, such as the United Kingdom and Australia, will be the first foreign representatives. Others may be added at a future date.


Joint Task Force-Computer Network Operations, "JTF-CNO Command Brief," November 2001.

Figure 3. JTF-CNO Organization. Source: JTF-CNO "Command Brief," 1 November 2001.

All of this organizational structure and inherent capability, including hardware, software, facilities improvement, contractor support, etc., will come at a significant cost. Original estimates were that the JTF-CNO would need a budgetary increase from 3.1 million dollars in fiscal year 2000 to between 18 and 25 million dollars by fiscal year 2003. A large amount of this increase would be devoted to facilities and technology upgrades, investments in the private sector for developing new CND and CNA tools, and hiring contractors.

Joint Task Force-Computer Network Defense, "CINC Decision Brief," 28 February 2001.
It is worthwhile to note that the JTF-CNO is not the only organization where CND activity takes place. At an elementary level, each user who follows standard security practices and each system administrator who updates antivirus software is engaging in CND activity. But, while CND and CNA are elements of information operations, it is crucial to understand that these are the JTF-CNO's only missions and that it is the only organization charged with CND and CNA responsibility across DOD.

Other DOD-wide missions related to other information operations, such as psychological operations and electronic warfare, fall under the purview of the Joint Information Operations Center (JIOC) headquartered at Kelly Air Force Base in San Antonio, Texas. That command also reports to CINCUSSPACECOM. An operational framework is in place to allow warfighting consumers to do one-stop shopping for IO, and each command is organized with "away teams" that travel to the supported CINC and can offer a variety of IO services. While not officially designated as the information operations "czar," USSPACECOM is as close as any organization to being an overall coordinator for the military services.

While the non-CND/CNA information operations capability of the JIOC and similar organizations throughout DOD deserves further study, the scope of such research is beyond the focus of this work. As the designated DOD CND and CNA "trigger-pullers" for this new warfare area, the JTF-CNO will be the organization that will be examined in detail throughout this work.

While CNA and CND are elements of information operations (IO), there is a broader spectrum of IO tasks that include psychological operations, civil and public affairs, electronic warfare, military deception, and operational security. Because of the legal ramifications of CNA, DOD has kept the CNA and CND mission areas separate from the broader group of IO tasks.
CNA Threats: Fact versus Fiction


There may be those who still believe that information warfare in cyberspace is some years away. In fact, on at least two occasions the United States has used information warfare to influence operations on the battlefield. During 1991, in the midst of the Persian Gulf War, e-mail used by Iraqi commanders was intercepted. While the practical effect was minimal and did not decisively influence the conduct of the war, the episode nevertheless demonstrated the potential for information operations conducted in cyberspace. The second serious attempt at computer information operations occurred in 1999 during the Kosovo air campaign. In this conflict, the effectiveness of Yugoslavia's air defense network was undermined by the manipulation of the interconnected computers of the system. Deceptive messages and false targets were inserted to deceive the enemy.

Similar attempts to influence the enemy's perception of the battlefield litter the historical record. During World War II, numerous examples of information operations can be cited, the most elaborate and perhaps most famous of which were the deception operations undertaken in support of the June 1944 Normandy landings.

David A. Fulghum and Robert Wall, "Combat-Proven Infowar Remains Underfunded," Aviation Week & Space Technology, 26 February 2001, 52.

Fulghum and Wall, 52.

The planners of the Normandy invasion went to great lengths to integrate deception operations into the invasion planning. Since the Germans were certain the aggressive U.S. Army officer General George S. Patton would lead the invasion, Allied planners created the fictitious First U.S. Army Group (FUSAG) and made sure that the Germans were fed a stream of data that they could verify through Germany's spy network. Ultimately, the plan convinced Hitler of the Allies' intention to land at Calais, and thus Hitler kept forces in reserve to repel what he believed was the true landing in force at Calais. This error is credited with buying the Allies enough time to establish a foothold ashore. One resource for more information (along with some of Patton's more colorful language) may be found at the Patton Museum of Cavalry and Armor website, URL: http://knox-www.army.mil/museum/pattonsp.htm, accessed 29 April 2002.

While technology has advanced since these early attempts of the last decade, caution must be used in order not to overstate what is possible in the realm of computer information warfare. Scenarios of hackers taking over nuclear launch capability are far-fetched fiction; one JTF-CNO official, Commander Robert Gourley, formerly the J2 (Intelligence Officer) of JTF-CNO, believes that for the foreseeable future cyber weapons will not come close to the destructive potential of conventional kinetic weapons and certainly will not approach the destructive power of nuclear weapons. Gourley has stated:

It is easy to overestimate the capabilities of computer network attacks. I don't think we will ever reach the stage where you could bring down an entire society with cyberattack. If properly executed, such an attack could cause trillions of dollars of damage to an economy and even kill people by crashing airlines, for example, but that is not a threat to completely destroying our economy. The only threat to our society I've seen on that scale is a nuclear attack.

If this assessment is correct, then why the concern and focus on cyber war? The answer lies in the number and origin of potential threats. While the single, ubiquitous hacker is still perceived as a serious but manageable threat by Gourley and the JTF-CNO, hackers of all types have increased their individual capability through hacker tools easily downloaded from the Internet and have begun to cooperate with virus writers (a different subset of the hacker culture). There is even some evidence to suggest alliances are developing between independent hackers and criminal/terrorist organizations.

Wilson, Cyberwarfare online article.

Since the terrorist attacks of September 2001, those working in the world of computer network operations have experienced an uneasy lull. Some organizations have even had the first drop in computer security incidents since the tracking of such incidents began. In addition, a wave of attacks expected as retaliation after the start of the bombing in Afghanistan never materialized.

Nevertheless, analysts familiar with the capabilities of cyber-terrorist organizations and individuals continue to believe a serious and widely scaled attack is only a matter of time. The Information Assurance Newsletter recently published a list of the most plausible threats. These include:

• Cyber terrorists hack into international banking networks, resulting in a global loss of confidence in the financial system and significant financial losses.

• Computer network attacks disrupt trading in the major stock markets. Huge financial losses and plunging investor confidence ensue.

• Disruption of the air traffic control system. Public fear about the safety of air travel increases. Massive losses to airline and related industries occur.

• Disruption of e-commerce through attacks on Internet sites.

Wilson, Cyberwarfare online article.

Lisa Hoffman, "A Surprise: Fewer Cyber-Attacks after 9-11," Scripps Howard News Service, available at URL: <www.knowstudio.com/shns/story.cfm?pk-CYBERSPACE-01-25-02&CAT-II>, accessed 26 January 2002. This article stated that the U.S. Federal Computer Incident Response Center (FEDCIRT) had recorded a nearly 50% drop in security incidents in the month after the 11 September 2001 terrorist attacks in the United States. As of January 2002, monthly incident numbers were still less than two-thirds of the expected rate. SPACECOM CINC Gen. Ralph Eberhart attributed the drop in incidents to hackers knowing "we're mad, and they're worried about repercussions."

While any of these attacks may seem daunting enough, they are not the only challenges facing the JTF-CNO. Competition for funding among DOD organizations as well as other government departments increased after the 11 September terror attacks. Nearly every government agency became more proactive in seeking funds to increase force protection capability, harden physical sites, decrease technology vulnerability, and, in general, raise the level of preparedness of their organizations.

Many organizations, some for the first time, recognized the necessity of aggressively protecting information and ensuring connectivity throughout their units. The result has been a large increase in organizations that have a vaguely cyber-sounding name, which has only added to the confusion over who is in charge government-wide for responding to potential cyber attacks.

In response to the cacophony of requirements that the White House received from throughout the government, President George Bush signed Executive Order 13231 in October 2001. The stated goal was to "ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems in the information age." Although at first blush similar to the Clinton era executive orders related to infrastructure protection, Executive Order 13231 is significant because for the first time national infrastructure, such as the banking system, telecommunications systems, and electrical grids, will now be under the same umbrella as the Defense Information Infrastructure.

A key player in the order is the recently created position of Assistant to the President for Homeland Security. He or she becomes a powerful voice for federal government infrastructure protection. Issues related to protection of and recovery from computer network attacks must be coordinated with the Homeland Security office. While it is still too early to tell what effect this will have, the potential for dilution of CINCUSSPACECOM's authority and diminution of the JTF-CNO's responsibility is a distinct possibility.

The Information Assurance Newsletter is produced by IATAC (Information Assurance Technology Analysis Center) and is closely tied to the JTF-CNO and DISA. Ed Sbrocco, Tom Ward, and Chris Baden, "Cyber Terror - Potential for Mass Effect," IA (Information Assurance) Newsletter 4, no. 4 (Winter 2001/2002), 6.

U.S. President, Executive Order 13231, "Critical Infrastructure Protection in the Information Age," 16 October 2001. Version found in Federal Register 66, no. 202 (18 October 2001): 53063. Hereafter cited as Executive Order 13231.
Legal Considerations

As  CNA  and  CND  information  warfare  capabilities  have  matured,  defense  policy 
makers  have  begun  to  wrestle  with  the  legal  implications  of  cyberspace  activities.  Where 
once  it  may  have  been  appropriate  to  use  the  metaphor  of  a  wild  west  or  gold  rush  town 
for  cyberspace,  a  more  appropriate  metaphor  is  now  that  of  a  US  territory  in  the  late  19th 
century.  Like  a  territory,  the  Internet  has  matured  beyond  its  completely  lawless  stage. 
Order  is  now  being  imposed,  albeit  unevenly.  However,  before  cyberspace  matures 
further,  questions  of  law  and  privacy  must  be  resolved.  The  implications  extend  beyond 
the  armed  forces  sphere  and  involve  questions  of  international  law  and  US 
constitutionality. 

The JTF-CNO is very involved in this debate. One of its most important duties is to identify the source of a computer attack and then to attribute it to a person, organization, and country of origin. The level of certainty will determine how the attack is to be handled. If the intrusion or attack is US based (and the offender can be identified as a US citizen), then the matter is turned over to the appropriate law enforcement agencies. However, if the intruder or attacker is foreign based, then the matter is passed to the appropriate intelligence or diplomatic agency, such as the CIA or the State Department. If the matter is serious enough, military contingencies may be planned.

A thorough review of the legal literature related to Information Warfare is beyond the scope of this work. This section seeks to highlight only a few of the most important legal issues. For example, the Electronic Communications Privacy Act and copyright issues are not addressed. For a thorough overview of how these and other issues relate to the Information Warfare fight, readers are advised to review the Dhillon and Smith article cited later in these footnotes.

The JTF-CNO has organic law enforcement representatives from the DOD agencies Naval Criminal Investigative Service (NCIS), Army Criminal Investigative Division (CID), and Air Force Office of Special Investigations (AFOSI), while investigations may also involve other federal and local agencies.

The debate revolving around the legal implications of information warfare generally does not include issues related to CND. The right of a nation to employ defensive measures to protect itself is specifically stated in Article 51 of the United Nations Charter, although few of the founders of the United Nations could have envisioned that the right of self-defense would one day extend to an unseen world of electrons moving about the globe. It is in the interest of the US to ensure that international law and custom support actions taken to neutralize these threats. This includes those treaties relating to the use of space and international telecommunications as well as domestic statutes.

The initial legal difficulty is identification. How will organizations determine whether a criminal act (the act of an individual or group in violation of criminal law) or an act of war (the act of a nation in violation of international law) has been committed? The complexity of computer code and the tendency of software to contain errors may also result in innocent malfunctions being mistaken for criminal or terrorist activity. Furthermore, even when incidents can be attributed to a deliberate action, attribution is still an issue of paramount concern. For example, in Moonlight Maze, the fact that the computers used were in Russian government offices did not necessarily prove that the Russian government sponsored the intrusions. It was equally possible that one or more employees were using government computers without the knowledge of their superiors and were not part of an officially sanctioned plan. Unlike "kinetic" attacks (physical attacks such as those using bombs or bullets), there are often few reliable indicators that aid in attribution. Without this proof of origin and intent, international cooperation for extradition or subsequent punishment of offenders by other nations becomes difficult, and groups that may pose a cyber-threat to the U.S. military can protect their plausible deniability.

Major David J. DiCenso, USAF (Ret), "IW Cyberlaw: The Legal Issues of Information Warfare," Airpower Journal (Summer 1999), 86.

James P. Terry, "The Lawfulness of Attacking Computer Networks in Armed Conflict and in Self-Defense in Periods Short of Armed Conflict: What Are the Targeting Constraints?," Armed Forces Law Review, vol. 169 (September 2001), 87-89.

Lawrence T. Greenberg, Seymour E. Goodman, and Kevin J. Soo Hoo, Information Warfare and International Law, online edition (Washington DC: National Defense University Press, 2001), URL: <www.dodccrp.org/iwilindex.htm>, accessed 23 January 2002.

A second legal issue is US justification of retaliatory acts. In recent years, US action has typically been preceded by a flurry of activity designed to develop international consensus and to validate such military action under Article 51 of the UN Charter. Whether the US is willing to undertake "kinetic" (military) action because of a computer attack is an unanswered question. Another unclear issue is whether a computer attack and a proportional kinetic response can be correlated. Does the induced crash of an electrical grid control system, which results in no deaths, warrant a cruise missile response? What if intensive care patients were to die because of such an attack, or perhaps aircraft were to crash because air control systems were disrupted? For now, there is no scale to consult and international law is undefined. Resolution of this issue awaits international cooperation and legal agreements.

A third legal issue for consideration is that the rapid pace of technology has left legal systems around the globe trying to catch up to the technology. Perhaps due to the perceived threat to the nation's critical infrastructure, the US government has moved quickly to criminalize hostile cyber activity that occurs within US national boundaries (see Table 2) and to develop a series of precedents for protecting information infrastructure. Some observers, including the legal scholar Mark Shulman, have judged the collection of new US federal laws related to cyberspace to be the best in the world. But some other states have not been as quick to realize that the Internet does not respect territorial boundaries and that countries whose laws are antiquated will experience difficulty in prosecuting hackers or more serious criminals. In one of the most publicized examples, the Filipino creator of the "ILOVEYOU" virus could not be prosecuted under Philippine laws that existed at the time (May 2000) he released it. The Philippines, like most second and third world nations, did not have any reference in their legal codes specifically criminalizing the release of destructive computer code. Moreover, where there are laws pertaining to cyberspace, most are primarily concentrated on issues of copyright infringement, freedom of speech, and privacy rather than issues related to war. Until the community of nations comes together to agree on legal sanctions, law enforcement agencies will continue to be hampered.

Greenberg, Goodman, and Soo Hoo. The authors include an extended discussion of the difficulties in prosecuting or extraditing individuals based on current international law. For example, French courts often refuse to extradite individuals for the sole purpose of punishing the offender for crimes committed in another country. In other words, a murderer may be extradited, because murder is also a French crime. However, French extradition of an individual for a crime that is only a crime in the United States would be unlikely.

It is significant to note that the US (as well as most other Western nations) has responded in a similar manner.

United Nations General Assembly, Charter of the United Nations, first session, 26 June 1945. Article 51 has been referenced numerous times by the US to justify action in wars including Kosovo, Iraq, and Afghanistan. In part, Article 51 recognizes the right of "...individual or collective self-defense if an armed attack occurs against a Member of the United Nations..." In a cyberspace environment, it may be difficult to convince other nations that it is acceptable to classify computer attacks as armed conflict.

Mark Russell Shulman, Legal Constraints on Information Warfare (Maxwell Air Force Base, Alabama: Air University Press, 1999), 8-9.

"'Love bug' prompts new Philippine law," USA Today, 14 June 2000, URL: <www.usatoday.com/life/cyber/tech/cti095.htm>. Accessed 27 January 2002.


US Law and Cyberspace

Law: Computer Fraud and Abuse Act (18 U.S.C. § 1030). Primary US hacker law. Passed into law October 16, 1986.

Impact:
- Prohibits cyberspace fraud
- Details crimes of computer espionage
- Prohibits unauthorized access to computer-based financial records
- Criminalizes unauthorized access to US government computers
- Established criminal cyber-trespass law
- Prohibits trafficking in computer passwords

Penalty: Punishment varies according to the nature of the crime. Maximum penalty: fine and/or 20 years imprisonment.

Law: Wiretap Act (18 U.S.C. § 2511). Originally enacted in 1968 as Title III of the Omnibus Crime Control and Safe Streets Act and extended to electronic communications by the Electronic Communications Privacy Act of 1986.

Impact: Makes it unlawful to intentionally intercept, use, or disclose any wire, oral, or electronic communication. Notable exceptions include interception with the consent of a party to the communication (hence the notice most network users receive upon login that says use of the system constitutes consent to monitoring), monitoring by system administrators in the normal course of protecting the provider's own system, and interception under court order.

Penalty: Punishment varies according to circumstances. Maximum penalty: fine and/or imprisonment for not more than five years.

Table 2: US Law and Cyberspace. Sources: Mark Russell Shulman, Legal Constraints on Information Warfare (Maxwell Air Force Base: Air University Press, 1999), 8-9; Title 18, U.S.C. § 1030 and § 2511.
A fourth problem is the domestic and international legal constraints that must be addressed as information warfare increases in importance and significance. Among the most interesting topics are those related to the Fourth Amendment to the Constitution, the Foreign Intelligence Surveillance Act (FISA), the Posse Comitatus Act, and issues related to the Law of Armed Conflict (LOAC).

The Fourth Amendment states: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Since CND and CNA activities may involve probes and scans of private computers from which attacks may originate, the Fourth Amendment would seem to provide protection to computer attackers (under the rubrics of protected places and things or probable cause). However, although U.S. courts have generally held that the Fourth Amendment protects information on computers, some court decisions have noted that this protection is not absolute when applied to cyberspace, particularly where there is a diminished expectation of privacy. E-mail and Internet users do not have the same expectation of privacy in cyberspace that users of the postal system, for example, can expect.

This is not simply an academic or legal debate for policy makers. The determination of where constitutional rights begin and end in cyberspace will determine what activities will require court approval to be conducted. This means, or at least implies, that certain activities may be protected, thereby giving a potential attacker refuge from discovery and/or prosecution. Law enforcement agencies may find that suspects are able to hide behind a constitutional shield and avoid prosecution, and military strategists may discover that the enemy in cyberspace is nearly impossible to trace and identify with a high level of confidence.

Nevertheless, where there exists a diminished expectation of privacy, the Supreme Court has recognized that in certain circumstances or where “special needs” exist, warrantless searches may be made. For example, Dhillon and Smith theorize that in order to ascertain the identity of a network intruder into a government system, it may be necessary to authorize a special needs exception. In their words, “if the government has a reasonable suspicion unauthorized users are attempting to gain access to critical infrastructures, a limited special needs exception may be appropriate, particularly if the actions taken are relatively unintrusive and for limited duration.” Clearly, U.S. domestic law needs to reflect the changing technological landscape.

No example was more indicative of the way in which U.S. domestic law has lagged behind the growth of cyberspace than that of the Foreign Intelligence Surveillance Act (FISA). Passed during the Ford administration and in the wake of the Watergate excesses of power, the act was Congress’s attempt to regulate legitimate electronic surveillance while limiting the potential abuses of presidentially directed warrantless surveillance operations against political enemies. Essentially, the act divided potential surveillance subjects into two camps: U.S. citizens, including lawful resident aliens and companies incorporated in the U.S., and agents of foreign powers or foreign-based groups based in the U.S. who are not protected by U.S. constitutional guarantees. The U.S. citizens/lawful aliens are protected to an extent against electronic surveillance, although surveillance can be authorized via court order, but the agents of foreign powers or foreign-based groups have no such protection.

Designed in a world where the masses had no access to computers, FISA was not something that generated much in the way of comment or outcry. However, in the more than twenty years since the act took effect, computers have become widespread, and hacking incidents and computer intrusions have grown just as quickly. For years, U.S.-based hackers were essentially protected by FISA, which prohibited issuance of electronic surveillance orders unless probable cause could be shown that the subject of the surveillance might be an agent of a foreign power or working in concert with a foreign state. Since most of the subjects did not have any obvious ties to a foreign government, an offender was usually only caught after he/she had caused significant damage. By far, the more likely outcome was that the hacker simply disappeared back into anonymity. New laws, including the PATRIOT Act, have closed the loopholes that existed before the terrorist attacks on America. However, it is logical to assume that some foreign power may have taken advantage of this loophole and was able to avoid detection while protected by FISA.

U.S. Constitution, Amendment IV.

Joginder S. Dhillon and Robert I. Smith, “Defensive Information Operations and Domestic Law: Limitations on Government Investigative Techniques,” The Air Force Law Review 50 (2001), 135-174.

Dhillon and Smith, 147 (emphasis added).

Dhillon and Smith, 160-165.

Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001, H.R. 3162, S. 1510, Public Law 107-56. This new law provides less legal maneuvering room for hackers/attackers to hide themselves. Penalties for cyber-trespassing and related cyber crimes have been increased and the threshold for granting subpoenas to obtain electronic records in investigations is lowered. The law was passed over the strenuous objections of civil libertarians and organizations such as the American Civil Liberties Union. Cited hereafter as PATRIOT Act of 2001.

The Posse Comitatus Act also hampers organizations such as the JTF-CNO and other military organizations in their efforts. The act was signed into law in 1878 in response to Southern complaints of harassment by Federal troops used for law enforcement during Reconstruction; this law prohibits the use of the armed forces to execute the laws of the U.S. against its citizens. Special accommodation has been made for allowing Congress and the President to authorize the military to conduct some operations, such as drug interdiction, but the act has remained largely untouched since its passing and there is little political will to change its wording.

The Posse Comitatus Act had the practical effect of preventing active military involvement in tracking down intruders and hackers in DOD networks. It is just for that reason that the JTF-CNO and similar organizations have now integrated law enforcement personnel within their organization to handle investigative, surveillance, and arrest functions in much the same way as the Coast Guard performs law enforcement functions while assigned to a Navy boarding party in drug operations. This law enforcement component is equally valuable when trying to identify and apprehend offenders across international borders. At present, only when the “bad guy” is a country or military force of a country can the CNA trigger be pulled.

Finally, there is the issue of CNA and the Law of Armed Conflict. Based on the Geneva Conventions of 1949 and 1977, the agreements from these conventions form a rulebook for modern warfare. These rules seek to protect civilian populations, outlaw indiscriminate attacks on populated cities, and, in general, seek to set boundaries for the conduct of war.

However, these boundaries may not be useful in the conduct of CNA. For example, perfidy is outlawed. There are also remnants of a chivalric past that remain in most modern militaries that help mitigate the violence of warfare. Societal and legal injunctions, for example, reward warriors for preventing casualties to women and children and, at a minimum, ostracize those who are involved in atrocities.

One may argue that the Law of Armed Conflict and chivalric notions can exist because the opponent can be identified and their status determined. However, on the modern cyber-battlefield, there is no way to determine for sure who the opponent may be. Is the hacker who is trying to access classified information about troop movements in time of war a curious teenager or a professional soldier? The answer will determine the acceptable response to the hacking activity. If excessive force is applied against what turns out to be a relatively harmless teenager (perhaps a U.S. unit decides to permanently take out the troublesome spy with a kinetic attack), it is not a great leap in logic to conclude that someone in the military command may face charges of killing what the international community may regard as a noncombatant.

Problems can arise from not only the death of people, but also the destruction of protected buildings and facilities. Among the Geneva conventions is the Convention for the Protection of Cultural Property. Included in this category are religious sites, dams and reservoirs, hospitals, and cultural/historic sites. All are protected in wartime so long as they are not used in a manner to shelter enemy military capability, or overtly support or promote the war effort. Would the U.S. violate this convention if its military force disrupted an electrical power grid and the result was patients dying who depended on electrical power to run their life support equipment? What if farmland flooded to such a degree that crops were ruined? The U.S. could possibly be accused of violating these international agreements, as part of an enemy’s information war against this country.

An opposing argument explored by Shulman is the belief that information operations, including CNA, can ultimately save lives. By minimizing or eliminating the possibility of civilian casualties and damage to civilian infrastructure, some military ethicists argue that the sooner IW tactics are employed, the less likely permanent damage will linger in an enemy’s country, and the less infrastructure will need to be rebuilt. Taken to its logical extreme, IW may eliminate the need to recreate the horrors of Hiroshima and Nagasaki, Dresden and Cologne.

Yet, despite the tantalizing possibilities of waging a “surgical” CNA/IW war, there are still very complicated issues to resolve. For instance, the same Protocol I of the Geneva Convention states that combatants must distinguish themselves from the civilian population. The intent is to distinguish who is a combatant and therefore a “legal” target, and who is not. When forces operate in the physical world this is relatively easy to do. The military man or woman will usually be in uniform. If they are using a vehicle, the airplane, truck, or tank should have markings that identify the country of origin. By separating and clearly identifying military personnel and their infrastructure, both become valid targets. However, what happens when those same forces use civilian communications lines (ATT, MCI, etc.) to transmit voice or data communications? Does the use of the civilian communications spectrum mean that the communications network is now a legitimate target?

It is apparent that the legal ramifications of information warfare are very complex, far-reaching, and still to be assessed within domestic and international legal forums. Until these issues are resolved, national and armed forces leaders would be wise to tread carefully or risk alienating allies and violating existing international treaties and agreements.

Title 18, U.S. Code, Section 1385.

Bonnie Baker, “The Origins of the Posse Comitatus,” Aerospace Power Chronicles, November 1999. Online version available at URL: http://www.airpower.maxwell.af.mil/airchronicles/cc/bakerl.html. In the last century, Presidential authority was used on rare occasions to negate Posse Comitatus. Examples include the use of the Army under General Douglas MacArthur to break up World War I demonstrators during the Washington “Bonus March” in March 1932 and President Harry Truman’s threatened use of the Army to break a railroad strike in May 1946. Curiously, the act only applies directly to the U.S. Army and Coast Guard.

Shulman, 11.

Perfidy is unlawful trickery of the opposition. Examples include faking surrender to gain an advantage; pretending to be a noncombatant or pretending to be a neutral party by wearing the uniform or identification of a neutral party, such as the UN. However, this does not prohibit military forces from using deception, misinformation, or other means to mislead the enemy. Shulman, 14.

Shulman, 15.
Conclusion

The day may come when warfighters look back on war in the late 20th century with something approaching nostalgia. When that time comes, the warrior may long for the days when the enemy was clearly identified and could be engaged in a definite time and space. While the argument can be made that warfighting in the past 25 years has grown more complicated, information warfare has the potential to become more complex to an exponential degree. It is an area of conflict that is global in scope and that touches on every element of national power; it also reaches across civilian, armed forces, law enforcement, and defense boundaries. Although warfare as traditionally known is a complicated business, two factors make information war very different.

The first is that identification of the enemy is extremely difficult, if not impossible. Attacks that originate inside of the United States can be handled via law enforcement and criminal penalties. However, what about those that originate outside of a nation’s borders? Does the fact that a hacker attack or criminal intrusion originates in another country mean that that country has sponsored the action? Of course not, and that is part of the dilemma. Furthermore, sophisticated hackers possess the ability to “spoof” (impersonate) individuals online to such a degree that attribution with a high degree of confidence is difficult. But, depending on the context in which these intrusions and attacks occur, the United States may be compelled to respond with “kinetic” (bombs, bullets, etc.) or CNA assets. This is particularly true if the action is evaluated as a serious terrorist threat to the civilian or armed forces critical infrastructure.

However, would such an action be considered an appropriate use of force under international law? International case law is murky and ill defined. Although nations have the inherent right of self-defense, that right was recognized during a time that did not envision cyber-warfare. Whether a cruise missile attack or the disruption of a nation’s communication or electrical power infrastructure is an appropriate response to a denial of service attack is questionable. The severity of unintended consequences from defensive (or offensive) actions is difficult to determine. Will disruption of another country’s infrastructure result in the deaths of innocents? Will the global world community support the United States to a certain threshold and then no further? Currently, there is no scale of moral equivalency to which the armed forces and civilian officials can refer to help them with these decisions. It is no wonder that authorization to employ CNA remains at the highest levels of civilian authority.

The second major difference between conventional war and information war is that the players may be almost anyone who can operate a keyboard. Where an armed forces uniform and identification with a fighting force defined combatants in centuries past, the cyberspace opponents may be anyone from a curious teenager to a technically sophisticated terrorist to a highly educated operator in the employ of a nation state. Furthermore, determining the motivation of that opponent will also be difficult. Is the threat simply an individual criminal intent on robbery? Alternatively, is the attacker on the other end of the connection inspired by patriotism, religious fanaticism, nationalism, ideological commitment, or something else? The answer may dictate whether a response is necessary and the means of the response. Again, for now there is little guidance for staffs and decision makers to follow.

Despite the uncertainty, there are some hopeful signs. After the 11 September 2001 terrorist attacks, there has been a drop in the number of computer intrusions and attacks detected by the JTF-CNO and the NIPC. Some have attributed the decline to increased defensive capability, others to tougher penalties and investigative power via the controversial PATRIOT Act. U.S. Space Command commander General Eberhart believes they “are afraid to challenge us in this realm, because they know we’re mad, and they’re worried about repercussions.”

Although some may take heart that organizations such as U.S. Space Command are taking the lead in combating cyber-adversaries, this writer would caution that there is room for uncertainty as well as hope. The SPACECOM arm charged with the execution of the CNA/CND mission, the JTF-CNO, is undermanned, underfunded, and faced with a tremendous mission challenge. Imagine having the responsibility for defending all DOD computers and computer networks with a budget of less than 20 million dollars and (currently) less than one hundred assigned personnel! It is a huge task that will only grow more difficult over the next decade. One can be hopeful because the JTF-CNO is a pathfinder organization. This implies a larger and more capable organization is expected to evolve at some time in the future. Meanwhile, as the nation builds and fortifies its cyber defenses, its adversaries will become more sophisticated, as will the technology and software they employ. The race for information dominance and information assurance is on, with the US in the lead. The question is how long that lead will last.

Hoffman, “A Surprise: Fewer Cyber-Attacks after 9-11,” online article.
Appendix A

Acronyms

CERT  Computer Emergency Response Team
CINC  Commander-in-Chief
CNA  Computer Network Attack
CND  Computer Network Defense
DISA  Defense Information Systems Agency
DOD  Department of Defense
GAO  General Accounting Office
GNOSC  Global Network Operations Security Center
JTF-CND  Joint Task Force-Computer Network Defense
JTF-CNO  Joint Task Force-Computer Network Operations
JV 2010  Joint Vision 2010
LOAC  Law of Armed Conflict
NIPC  National Infrastructure Protection Center
NSA  National Security Agency
PATRIOT  Provide Appropriate Tools Required to Intercept and Obstruct Terrorism
PCCIP  President’s Commission on Critical Infrastructure Protection
PDD  Presidential Decision Directive
Appendix B

CND/CNA Event Timeline

1988  First Internet Virus

1991  GNOSC (Global Network Operations Security Center) established

1993  DOD CERT (Computer Emergency Response Team) established

1996  Executive Order 13010 signed

1997  Joint Vision 2010 published
-  Eligible Receiver exercise
-  Clinton Administration produces Critical Infrastructure Protection document

1998  Solar Sunrise intrusion detected
-  PDD (Presidential Decision Directive) 63 signed
-  JTF-CND formed

1999  Moonlight Maze intrusions

2000  USSPACECOM assigned CND mission
-  National Infrastructure Protection Plan published
-  E-commerce denial of service attacks against eBay and other online vendors
-  Joint Vision 2020 published. Decision Superiority one of the main pillars.

2001  JTF-CND changes name to Joint Task Force-Computer Network Operations. USSPACECOM receives CNA mission and assigns responsibility for execution to JTF-CNO.
Appendix C

A Service Perspective

Upon first examination, the Marine Corps warfighting philosophy might not seem as compatible with waging information warfare as the other services, particularly as information warfare relates to computer network operations. The emphasis on the ability to “shatter the enemy’s cohesion through a series of rapid, violent, and unexpected actions that create a turbulent and deteriorating situation with which he cannot cope” seems to focus on the type of combat that comes to mind when one thinks of such battles as Tinian and Inchon. However, such a view is erroneous.

The modern Marine Corps has indeed addressed information operations and has integrated these operations into the Marine Air Ground Task Force (MAGTF) and single battle concepts. Marine Corps information operations are viewed as supporting operations to decisive maneuver warfare. The goal is to “use information to deny, degrade, disrupt, destroy, or influence an adversary commander’s methods, means, or ability to command and control his forces and to inform target audiences through informational activities.”

In much the same way as the other services, the Marine Corps views information warfare as being composed of more than just generic computer network operations. Offensive information operations are broken down into the following methods:

•  Operational security (OPSEC)
•  Military deception
•  Electronic warfare (EW)
•  Psychological operations (PSYOP)
•  Physical attack/destruction
•  Computer network attack.

Defensive information warfare elements include:

•  Physical security
•  Operations security (OPSEC)
•  Counter-propaganda
•  Counter-deception
•  Information assurance (IA)
•  Electronic protection
•  Counter-intelligence
•  Computer network defense (CND).

During MAGTF operations, information operations may even become the main effort of an operation.

Significantly, although the Marine Corps recognizes the importance of information warfare in the modern battlespace, it is also realistic about the resources needed to develop a Marine Corps specific capability that can travel with the Marine Expeditionary Force (MEF), the Marine Expeditionary Brigade (MEB), or the Marine Expeditionary Unit (MEU). In the coordinating draft of Marine Corps Warfare Publication 3-40.4, Information Operations, commanders are advised not only to familiarize themselves with information warfare capabilities, but also to expect access to information warfare tools via “reachback” to national, CINC, or Joint Task Force (JTF) level assets. The implication is that these capabilities will not be organic to the Marine Corps field units. Whether this is a function of dollars or fighting philosophy is a matter of debate, but an access capability will still be a casualty.

An argument can be made now that the relatively small size of the Marine Corps works against itself as it attempts to prepare for CND- and CNA-centric operations. As the other services race to establish organizations with a computer network attack or computer network defense orientation, the Marine Corps is struggling to compete for these same types of resources. In addition, while the much publicized 6.9 billion dollar Navy and Marine Corps Intranet program will help the Marine Corps modernize its information technology infrastructure, the focus of these funds will be to enhance productivity, standardize information technology training, and improve data transfer capability. There are few, if any, funds allocated for developing CND or CNA capability.

In spite of this, the Marine Corps characteristic style of quick and violent operations in land combat may be an advantage. Enemy forces will continue to have less time to target critical network vulnerabilities because of the rapid maneuver warfare ethic; once an adversary is identified, he will have to try to conduct operations against highly mobile targets in the field. The threat may actually be more pronounced for fixed bases and logistical sites that depend more heavily on information technology. It will certainly not be eliminated, as opponents are likely to seek out attractive fixed targets such as fixed headquarters sites, information technology network hubs, supply depots, and similar targets vice the mobile field units such as the MAGTF.

U.S. Marine Corps, FMFM 1: Warfighting (Washington, DC: GPO, 1989), 61.

Marine Corps Combat Development Command, “Marine Corps Warfare Publication (MCWP) 3-40.4 Information Operations (Coordinating Draft),” URL: http://www.doctrine.usmc.mil/mcwp/view/mcwp3404/mcwp3404.pdf. Accessed 22 March 2002. 5. Hereafter cited as MCWP 3-40.4 Draft.

MCWP 3-40.4 Draft, 5.

MCWP 3-40.4 Draft, 10.

MCWP 3-40.4 Draft, 6-7.

“Navy-Marine Corps Announce Intranet Contract Award,” Assistant Secretary of Defense News Release, 06 Oct 2000, URL: http://www.c3i.osd.mil/ebpublic/NMCI contract.pdf. Accessed 21 March 2002.